Protect Yourself from Brute Force Login Attacks

If you don’t have a secret user name and a very good password, hackers can easily log into your WordPress account as you.

If you have created a password that you can remember, one that you have a chance of typing correctly, hackers already know the tricks people use to make a password they think is “secure”. It is not. With published lists of the top 10,000 passwords (that is actually a small list; there are lists with up to 14 million unique passwords that people really used), some readily available free software to try variations of those passwords, and enough time (a few hours to a few days), they have better than 90% odds of knowing your password.

I’m going to give you some simple yet very effective ways to stop them: ways to stop the numerous attempts at your login form, ways to generate passwords the hackers can’t guess even if they stole a copy of your database and work on it from home, and ways to make passwords you can remember that the hackers still can’t guess.

If instead of trying to get your password via a login form, they steal a copy of the database, or a backup file of the database, the encrypted passwords in it are not secure. http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ says, “In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes [encrypted with MD5]. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.” Later it says, “Our top cracker snagged 90 percent of them… Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate.”

You cannot break modern encryption on web servers (or any other computers) by “brute force”, trying all the possible combinations. But the ways people pick passwords, and the ways they alter that word (or occasionally phrase) to make it “strong”, are so common that the encryption doesn’t need to be brute-force broken. For example, while MD5 (used in WordPress, MySQL and many, many other programs) is too tough to crack directly, if someone guesses that your password is “password” or “password1”, they can calculate the MD5 of those words (using the same free, open-source software library that WordPress, MySQL, etc. use) and simply compare the string they calculated against the string from your database; every computer programmer learns to compare strings in their first week of programming class. (“5f4dcc3b5aa765d61d8327deb882cf99” and “7c6a180b36896a0a8c02787eeafb0e4c” are the MD5 hashes for “password” and “password1” respectively. Hard for people, simple for computers.)
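The same string comparison turned into a defensive audit: an added example (not from the original post) that hashes a worst-password list once and flags any account in your own user table whose stored MD5 is on it. The user rows and the short wordlist are constructed stand-ins; a real audit would load the full 10,000-entry list.

```python
import hashlib

# Constructed sample rows from a user table: (username, stored MD5 hex).
# The first two hashes are the ones quoted in the text above.
USER_ROWS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("editor", "7c6a180b36896a0a8c02787eeafb0e4c"),
    ("alice", hashlib.md5(b"correct horse battery staple 7").hexdigest()),
]

# Constructed stand-in for the "top 10,000" list.
WORST_PASSWORDS = ["123456", "password", "qwerty", "password1", "letmein", "admin"]


def md5_hex(word: str) -> str:
    """Unsalted MD5 of a candidate password, as hex."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Hash every candidate once; checking a stored hash is then a dict lookup."""
    return {md5_hex(w): w for w in wordlist}


def audit(rows, wordlist):
    """Return {username: matched_password} for accounts whose stored hash is on the list."""
    lookup = build_lookup(wordlist)
    return {user: lookup[h] for user, h in rows if h in lookup}


if __name__ == "__main__":
    for user, pw in audit(USER_ROWS, WORST_PASSWORDS).items():
        print(f"{user}: password is on the worst-password list ({pw!r})")
```

Any account the audit names needs a forced password reset; “alice” is not flagged because her passphrase is not on the list, not because MD5 protected it.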

The table below shows an actual single hour of a brute-force attack by guessing passwords. While some attacks come from a single IP address, this attack came from numerous IP addresses, so trying to block this type of attack by a “bad IP” list is ineffective. Worse, the ever-growing list of bad IP addresses would have to be checked on every request for any file, slowing your entire site.

The attack is usually pretty dumb: even though WordPress reports “invalid user name”, almost every attempt is on “admin”, since that is by far the most common WordPress user name. Some attacks use an author name from posts on the site as the user name. Other attacks tried the site name, or names from the list of “most commonly hacked login names”.

Don’t use “admin” as your WordPress user name, ever. If you are installing, pick a good name. If you have already installed, log in as the administrator and create a new user with administrator privileges and a strong password. Then log in with your new user name and delete the user “admin”. The Sucuri plugin or the iThemes Security plugin will do that for you.

(Note: if you have posts with “admin” as the author, change that before deleting; there are many tutorials on how to do that.)

Have a user name for administrative tasks (with administrator privileges), and a user name for writing and editing posts (with editor privileges). In the administrator’s settings, under Users -> Your Profile, set the Admin Color Scheme to Sunrise (or, if that is your favorite, whichever one is most “yuck, wrong colors!”) so you don’t forget to use the administrator login only for administrative functions. Don’t write posts as the administrator; you don’t want the administrator user name displayed anywhere on the site.

Keep the Username secret, to make breaking your user name and password harder. Configure WordPress to display publicly something other than the login name: in Users, All Users, Edit, change the Nickname to something other than the Username and change “Display name publicly as” to something other than the Username.

Use passwords that are not in the top 10,000 passwords. I’m not sure whether these are the most used or the most hacked; either way, hackers know these passwords. Search “1000 password list”, or these are good: Worst Passwords (“an astonishing 91 percent of all passwords used appear in the top 1000”) and a master list of the 10,000 worst passwords. For the hardcore geek, How [Mark Burnett] Collects Passwords. The huge RockYou list does have Harry Potter, current singers and lesser-known classical composers; RockYou 55 has 14,000 passwords; unzip with 7Zip or others.

After a good user name and password, the best defense against this type of password-guessing attack is the “Limit Logins” plugin or that feature of the iThemes Security plugin. (Use either one, not both.) Whitelist your private IP address (never the coffee shop IP!) if you want. Set a tight number of attempts (3 should be enough; unless you are a terrible typist, slow down and get it right on the third try), and set a 30-minute or longer lockout period. Why 30 minutes? I just got 1600 tries in an hour; if they need 10,000 tries to guess my password, they have it in 6 hours. At 6 tries per hour, they have it in 1667 hours (69.4 days).
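What the lockout setting does, as an added example (my own code, not the Limit Logins or iThemes plugin): a failure counter with the 3-attempt, 30-minute lockout recommended above, keyed by username rather than IP so that an attack spread over many addresses still trips it, plus the arithmetic behind the “1667 hours” figure. Timestamps are passed in as seconds so the behaviour is deterministic.

```python
from collections import defaultdict

MAX_ATTEMPTS = 3        # lock after the third failure, as recommended above
LOCKOUT_MINUTES = 30    # 30-minute lockout


class LoginLimiter:
    """Failure counter with a timed lockout, keyed by username so that an attack
    spread over many IP addresses still trips it. `now` is passed in (seconds)
    so the logic is deterministic and testable."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_minutes=LOCKOUT_MINUTES):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username, now):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            # lockout expired: clear state so the counter starts over
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username, now):
        """Call on a wrong password. Returns True when the account is (now) locked."""
        if self.is_locked(username, now):
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        """A correct login while not locked resets the counter."""
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


def hours_to_exhaust(guesses, max_attempts=MAX_ATTEMPTS, lockout_minutes=LOCKOUT_MINUTES):
    """Worst-case hours an attacker needs to get `guesses` tries past the lockout.
    With 3 tries per 30 minutes that is 6 per hour: 10,000 guesses take 1667 hours."""
    attempts_per_hour = max_attempts * (60 / lockout_minutes)
    return guesses / attempts_per_hour
```

Keying on the username means a stranger can lock a legitimate user out for 30 minutes by guessing badly on purpose; the IP whitelist mentioned above is the usual way to keep your own access working during such an attack.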

Never use the same password on multiple sites. The person who steals your library password should have no way to get into your bank account! Use software to store your multiple passwords. Of course, use the strongest password you can remember for this software; if you forget it you lose access to all your passwords. Maybe use a word you can remember, followed by a special character (! is the most common, so don’t use it), followed by a number you think you can remember, and write down only the number. (No, not your birthday or the last 4 of your social security number! Or “take my favorite song and use the first letter of each word of the first verse and chorus” or a similar pattern. Also use this software for storing your made-up answers to “what is the name of your first pet”.) Windows / Mac / iOS / Android.

Sucuri Security Plugin generated this list. SSP has the option to email you about failed login attempts. Turn those off; you don’t want to know. (I alerted Sucuri to a bug; I got over 16,000 emails during the 10-hour attack.)

Failed logins

This information will be used to determine if your site is being the victim of a brute-force attack using the password-guessing technique. Multiple failed logins will be considered part of the attack if there are more than 30 during the same hour; that is why you will only see (in this table) information for the last hour. Previous reports will be sent to your email if you checked the alert option in the settings page to receive notifications of brute-force attacks.

The option to notify of possible password-guessing attacks is disabled; failed login reports will not be sent to your email when they occur. Go to the notification settings to enable the brute-force attack alerts.